Pozdrav društvo,
Ovaj put nečem na jugoslovenački / zbog jasnosti.
I like the stuff youre doing, the education and services you provide. Platofrm for communication - this forum, email @dmz.rs… i find it important. important to own the tools you use, to understand how it works and to trust the people that mantain the infrastructure.
To avoid the MITM and have a secure connection, the certificates SSL/TLS are exchanged between the email user and the emailserver.
So how is it with the @dmz.rs service? is the service mantained by some of you, like who is changing the cetificates and where is the server situated? how much can i trust it?
hope you dont mind this kind of enquiries and if this is a good place to discuss this topic i have some more questions to post or ask the people that run it…
samo
Thanks for the OPSEC advice.
Being concerned about security - its not the serverside that i am concerned of. is more the secure way to connect that i was wondering about. In case of MITM the ssl certificate is intercepted and faked…
and while using the dmz.rs email service, the certificates were several times changed (althow the expiration date was not near the end). Thats why i had a thought about the MITM thing.
Wanted to ask the mantainer if the fingerprint of the certificate is genuine:
SHA256: 95:28:95:1C:82:A8:40:F6:24:B0:C5:81:23:91:C2:9F:81:21:7E:4A:FF:9C:D1:45:42:75:2F:EA:0C:F5:8F:8A
I’m curious, how would the certificate be faked without the client noticing? That certificate is signed by a valid certificate authority, why wouldn’t it be trustworthy?
here they write about the CA and posibility of rouge certs:
im looking more carefuly to this website encriptions… since its used for the gemini protocol and im interested in website hosting, and services that rely on this.
the answer fram3d gave - that TLS is done automatically on monthly basis. is what i was wondering about… the questions posted are done for my personal educational purpose, not in any way to question your services or expertise. thanks for the insight.
Yes, that is the right fingerprint for the current key.
Since the key is automatically renewed, it can change every month under condition that it expires in 15 days or less (I am not 100% sure about the number of days). So no need to worry if cert is changed on the beginning of the month.
Also when I added new domains in the past, I used to expand the list of domains on the existing certificate. I am not sure if that changes it or simple CA resigns it with the additional domain. I don’t really plan on continuing to do this however, so in future we can easily separate services on many different servers under control of different people. I already started doing this with latest new services, like search.dmz.rs and pastebin.dmz.rs.
For the concerns of Nation State, CA and hosting provider:
Nation State can try to subpoena ISP or our admins.
CA can issue rogue certificate to aid Nation State mitm efforts.
Hosting provider - in our case only domain name issuer can be subpoenad to redirect resolution of the DMZ.rz domain to another (In this case Nation State’s) IP address, because all content is hosted on our bare metal, they can only attack domain register.
There are some things that we can do to better protect: